QUALYS SECURITY CONFERENCE 2018


Approach to Securing the ...
...ity and Comprehensive Security for Cloud workloads and ...
...ict Management, Qualys, Inc.


Agenda

* "Shift Left" Migration & Requirements
* Your responsibility in cloud security
* Customer Case Studies
* Qualys Security for hardening and standardizing workloads
* Qualys security for Infrastructure: Use Cases & Demo
* Q&A
The Big Migration... in security, it is happening..
Continuous Secure Development and Deployment

SECURITY AT DEVELOPMENT (Developers, CI/CD, Operations)
* Static Code Analysis
* Vulnerability Management
* Web Application Scanning
* Compliance Checks
* Configuration Assessments

SECURITY AFTER DEPLOYMENT
* Vulnerability Management
* Compliance Checks
* Configuration Assessments
* Web Application Scanning
* Web Application Firewalls
DevOps/DevSecOps Requirements...

DEVELOPERS: Jenkins, Bamboo, Artifactory, Puppet, Ansible (tool logos on the slide)

DevSecOps Engineer: responsible for automating security checks and remediating viable security threats in development/deployment practices.

AUTOMATION & ACTIONABLE DATA ....
The New IT - Hybrid, Multi-Cloud Deployment

ON-PREMISE* and PUBLIC CLOUD (Azure, Google Cloud Platform, ...)


Shared Security Responsibility Model

You are responsible for securing your data and workloads. Responsibility is split between Customer and Cloud Provider, and varies by layer.

Image from Microsoft Azure Shared Security Responsibility


Securing Cloud Workloads
Hardening and Standardizing

VULNERABILITY MANAGEMENT
* Vulnerability Management (Internal & Perimeter)
* Threat Protection
* Indicators of Compromise
* Patch Management?

POLICY COMPLIANCE
* Policy Compliance (incl. Secure Configuration Assessments)
* File Integrity Monitoring

APPLICATION SECURITY
* Web Application Scanning (WebApps and REST APIs)
* Web Application Firewall
Securing Public Clouds - Customer Case Studies

Capital One: Using Qualys reduced application ... 24 hrs by automating security with Qualys in ...

A Software Maker: "Just in time" security approvals with end to end integration of Qualys Scan and Reports with ServiceNow.

A Beverage MNC: Enabling DevOps with automated agent deployment via Azure Security Center.
Capital One
Before: Lack of Security Automation Delays Release

Machine Builders: two weeks until the Image (AMI) is certified for production.

Capital One
Introducing Security at the Source: Bake Qualys Security into Gold Images and AMI

GOLD IMAGE -> QUALYS ASSESS (on Dev) -> APPROVE and PUBLISH hardened AMAZON MACHINE IMAGE (AMI) -> CI/CD PIPELINE -> Live Instances

Bakery process happens within 24 Hrs


"Security as Service"
Integration between ServiceNow and Qualys

Challenge
* Moved almost all datacenters to AWS
* Keeping up with security "Just in Time" projects with multiple teams submitting requests for spinning up infrastructure

Requirement
* Automate Vulnerability Mgmt. from Connectors, Scans, and to Results
* Integrate into ServiceNow for end to end invocation

Solution
Invoke Scan process from ServiceNow -> Create Ticket -> Pre-Authorized AWS Scanner Appliances scan the AWS VPC -> results link to S3 bucket -> Close Ticket incl. Vuln. reports

Company Profile
Makes software for architecture, Engg., construction and Media
INDUSTRY: Software, Media, Manufacturing
REGION: USA
CLOUD: Primary Cloud - AWS; Secondary Cloud - Azure
DEPLOYMENT REGION: US East, West
SERVICES USED: RDS, Containers, ...
QUALYS USAGE: VM, AV, Scanners
A Beverage MNC Company
Qualys Automation within Azure Security Center

Fast growing deployment in Azure (added 10K instances in 6 months)

Problem?
* Ops wants to simplify the process of security tools rollout
* Security wants to participate in DevOps

Solution
* Utilizing Qualys integration with Azure Security Center
* Utilize ASC automation to bake agents into test subscription and review reports with ASC

[Screenshot: Azure Security Center recommendation "Remediate vulnerabilities (by Qualys)" (preview), listing open findings on one VM with their severity, e.g. Enabled DCOM (High), Allowed Null Session (Medium), Enabled Cached Logon Cre... (Medium), and a number of Low-severity configuration findings.]


New and Upcoming Features

Simplifying Perimeter Vulnerability Detection
Support for Azure and Azure Stack

Cloud Perimeter Scan
* Launch DNS based scans on public instances auto selected from your account via connectors
* Add Elastic Load Balancer DNS
* Generate results with external only remote check vulnerabilities
* Supports AWS EC2 today; Azure and GCP support coming soon


[Screenshot: Vulnerability Management > Scans > Cloud Perimeter Scan wizard (Step 3 of 6: Target Connector / Target Hosts): auto selects public EC2 instances, filter by specific tags, optional scheduling, and "Add DNS List (For internet facing ELBs)" to add load balancer DNS names to the assigned hostnames.]


Azure Connector in Asset View
Coming Jan. 2019

[Screenshot: Asset View > Connectors > create Azure connector, Step 1 of 4 - Connector Details]

Connector Details
* Name* (required), Description
* Set up authentication details: create an application in Active Directory and provide Reader role access to the subscription.
* Application ID
* Directory ID
* Authentication Key
* Subscription ID

Azure Scan Flow
Coming Jan. 2019

* Scan Azure Internal (Private) and External (Public) Virtual Machines with the Scanner
* Launch by Virtual Machine ID and NOT by IP
* Report by Virtual Machine IDs


Securing Azure Stack using Qualys
Qualys is the only distributor of Infra's VM, PC reports

* Qualys Security Solution suite - VM, PC, AppSec, ...
* Network Scan using Qualys Vulnerability Management
* Vulnerability and Compliance Reports available from MSFT Infrastructure Review

Register @ https://www.qualys.com/azure-stack/


Cloud Workload Security with Qualys

IaaS and PaaS* coverage: AWS, Azure, Google Cloud Platform, Alibaba Cloud, Oracle

* PaaS - Cloud Database Scanning - Roadmap 1H '19
Integrating within the process and response pipeline with Partners

* illumio
* Configuration and Change Management: Puppet
* Keeping track of assets (CMDB): ServiceNow
* Sending data into SIEM: Splunk
Cloud Integrations

* Azure Security Center (VM)
* AWS Security Hub (beta) - Public Preview - Nov 28, 2018!!!
* Google Security Command Center - Beta in December 2018

Other Integrations
* IBM Security Center - Dec 2018/Jan 2019
* Alibaba Security Center - 2019

[Screenshots: Azure Security Center > Recommendations; AWS Security Hub > Insights; Google Cloud Platform Security Command Center findings dashboard with Qualys as a finding source.]
Qualys Cloud Apps in AWS Marketplace
* Vulnerability Mgmt.
* Policy Compliance
* Web Application Scanning

Soon..
* Web Application Firewall
* Cloud Security Assessment
* Container Security
* File Integrity Monitoring
* Indication of Compromise

[Screenshot: AWS Marketplace listings sold by Qualys, Inc.: Qualys Virtual Firewall Appliance HVM (version Qualys-WAF-AWS-1.4.0; Linux/Unix, CentOS 6.9 - 64-bit Amazon Machine Image), Qualys Vulnerability Management (US Only) and Qualys Policy Compliance (US Only), each with its short product description.]
Cloud Infrastructure

Australian Insurance Company
Visibility of deployments stops misuse of keys

AWS sent a notice of compromised keys attempting to create multiple accounts in EU.

Use Case
Identify the resources in EU region, find the Amazon S3 buckets which are open to public and have the keys stored.

Requirement
* Identify where the deployments are located

Company Profile
Largest provider of Auto and Agriculture insurance
INDUSTRY: Insurance
REGION: Australia
CLOUD: Primary Cloud - AWS; Secondary Cloud - Azure
DEPLOYMENT REGION: Australia
SERVICES USED: EC2, S3, RDS, EMR, CloudFront
We need to secure against...
* Misconfigurations
* Malicious behavior
* Non-standard deployments
* Administrative access


Qualys Cloud Inventory and Security Assessments

Unparalleled Visibility and Continuous Security Monitoring across public cloud infrastructure: Cloud Inventory and Cloud Security Assessment (AWS, Google Cloud Platform, ...)


Use Case #1
Visibility into your public clouds

View into
* Resource Distribution by Type
* Resources by Region

Personalize and add custom widgets

[Screenshot: CloudView AWS Dashboard (last 30 days) with widgets for Resource Distribution by Type, Security Posture by Regions, Top 5 Accounts by Failed Controls, Failures by Control Criticality (total failures split into High and Medium), Total Resources, and Top 5 Failed Controls: "Ensure IAM policies are attached only to groups or rol...", "Ensure access key1 is rotated every 90 days or less", "Ensure no security groups allow ingress from 0.0.0.0/...", "Ensure the default security group of every VPC restrict...", each with its criticality.]


Use Case #2
Identify Leaky S3 buckets

Misconfigured S3 Buckets are vulnerable to data leaks.

Query: resource.type:"S3 Bucket" and s3.isPubliclyAccessible: true

Check S3 Bucket Access Permissions Regularly
* Review Access Control List
* Check Bucket Policy

[Screenshot: CloudView resource search for public S3 buckets (Total S3 Buckets trend, 18th Oct - 22nd Oct) and failing controls from the "AWS Best Practices Policy": Ensure S3 Bucket Policy does not allow anonymous access; 45 S3 Bucket Access Control List Grant Access to Everyone or Authenticate...; 47 Ensure access logging is enabled for S3 buckets; 48 Ensure versioning is enabled for S3 buckets (Total Resources: 78).]


Use Case #3
Detect Compromised IAM Users

Check for:
* Configure Strong Password Policy for Account
* Enforce MFA for Console Users
* Rotate IAM Access Keys Every 90 Days
* Remove Unnecessary Credentials

Audit Process
* Create separate user for console & API access (Segregation of duty)
* Track password age
* Deactivate unused keys

[Screenshot: CloudView, Amazon Web Services, query service.type:"IAM": 21 controls evaluated (20 fail, 1 pass; 18 high criticality), 661 evaluations (251 pass, 410 fail), failures by criticality 256 High / 154 Medium. Failing controls from the "CIS Amazon Web Services Foundations Benchmark" policy: Ensure multi-factor authentication (MFA) is enabled for all IAM users that...; Ensure console credentials unused for 90 days or greater are disabled; Ensure access keys unused for 90 days or greater are disabled; Ensure access key1 is rotated every 90 days or less.]
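The four CIS controls in the screenshot plus the segregation-of-duty point from the audit process, evaluated over an IAM credential report (added example, not Qualys code). The report rows, the account ID 111122223333 and the fixed evaluation date are constructed so the block runs offline with reproducible results.

```python
"""Audit an IAM credential report (the CSV that `aws iam get-credential-report`
returns, base64-decoded) against the checks listed on the slide."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: three users, one account. Real reports also carry a
# "<root_account>" row and use "no_information" for some unknown timestamps.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2018-01-10T09:00:00+00:00,true,2018-11-27T08:00:00+00:00,2018-10-01T00:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-01-10T09:00:00+00:00,true,2018-06-01T08:00:00+00:00,2018-01-10T09:00:00+00:00,N/A,false,true,2018-01-10T09:00:00+00:00,2018-11-20T00:00:00+00:00,false,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2018-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-10-15T00:00:00+00:00,2018-11-27T00:00:00+00:00,true,2018-05-01T00:00:00+00:00,2018-07-01T00:00:00+00:00
"""

NOW = datetime(2018, 11, 28, tzinfo=timezone.utc)  # fixed "today" for reproducibility
MAX_AGE = timedelta(days=90)                         # the CIS 90-day threshold


def _parse(ts):
    """Credential-report timestamps are ISO 8601; N/A means 'never'."""
    if ts in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return {user: [finding, ...]} for every user in the report."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        findings = []
        console = row["password_enabled"] == "true"
        if console:
            # CIS: MFA must be enabled for every IAM user with a console password
            if row["mfa_active"] != "true":
                findings.append("mfa_not_enabled_for_console_user")
            # CIS: console credentials unused for 90 days or more must be disabled
            # (a never-used password is aged from the user's creation time)
            last_used = _parse(row["password_last_used"]) or _parse(row["user_creation_time"])
            if now - last_used >= max_age:
                findings.append("console_credentials_unused_90_days")
        active_keys = 0
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            active_keys += 1
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            # CIS: active keys unused for 90 days or more must be disabled
            last_used = _parse(row[f"access_key_{n}_last_used_date"]) or rotated
            if now - last_used >= max_age:
                findings.append(f"access_key_{n}_unused_90_days")
            # CIS: every active key must be rotated at least every 90 days
            if now - rotated > max_age:
                findings.append(f"access_key_{n}_not_rotated_90_days")
        # Audit process on the slide: console and API access belong to separate users
        if console and active_keys:
            findings.append("console_and_api_access_on_same_user")
        results[row["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(findings) or 'OK'}")
```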


Australian Insurance Company
Visibility of deployments stops misuse of keys

AWS sent a notice of compromised keys attempting to create multiple accounts in EU.

Requirement
* Identify where the deployments are located
* Identify S3 buckets that are public and fix them
* Ensure best practices are followed by IAM users of the account

Solution
With Qualys Cloud Inventory and Assessment:
* Gain visibility into the global deployments
* Identify S3 buckets that are public and require fixing
* Identify the IAM users and their security posture


Visibility - Get started with a FREE service

CloudView: A FREE inventory and monitoring service for your public clouds


Use Case #4
Misconfigured Security Groups

Security groups with default rule, allowing access on port ...

With Qualys Vulnerability Mgmt. - Identify Security Groups exposing Vulnerable instances

Query: service.type:"VPC"
Control 41: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (VPC)

List View query: resource.type:"Instance" and securitygroup.inboundRule.fromPort:22 and securitygroup.inboundRule.ipv4Range:0.0.0.0/0 and (not instance.publicIpAddress is null)

[Screenshot: Resource Summary listing the matching instances (instance ID, account, region, type, state, name), e.g. running t2.micro instances in N. Virginia and Ohio.]


Use Case #5
Correlate with Vulnerability Data

* Identify vulnerable instances associated with the security groups
* Reduce effort to pull info to SIEM for correlation

[Screenshot: Resource Details for security group sg-08e84245777aa2a62: Summary, Rules, Associations (seven running instances and an ELB in N. Virginia, Nov 28, 2018), Tags, Controls Evaluated, Reference Security Groups.]
New and Upcoming Features
* Remediations
* Threat Analysis
* Reports

Threat Analysis
Correlating Vulnerability data to provide risk insights
Coming Dec. 2018

Use Cases
* Security Groups allowing access on the same ports where network vulnerabilities have been identified
* Vulnerable EC2 Instances with Instance profiles accessing S3 buckets

[Screenshot: Resource Details: sg-5c324e25 > Threat Details, with Impacted Resources, Open Port Vulnerabilities and Ports with Threats, and the rules table ("Show Issues by: Ports"):]

RULES
PORT  TYPE    PROTOCOL  PORT RANGE  SOURCE     PORTS WITH THREATS  IMPACTED INSTANCES  VULNERABILITIES
80    Custom  TCP       0-100       0.0.0.0/0  9                   2                   2
8080  Custom  TCP       8080        0.0.0.0/0  9                   2                   2
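The instance query from Use Case #4 and the per-rule threat table above, implemented over constructed inventory data (added example, not Qualys code; security group IDs, instance IDs, IPs and vulnerability titles are made up, shaped loosely like the AWS describe-* APIs). It generalizes the port-22 query to any port and so covers Use Cases #4 and #5 as well as the first Threat Analysis use case.

```python
"""Correlate security-group ingress rules, instance exposure and scanner findings."""
from ipaddress import ip_network

# Constructed security groups: sg-id -> list of (protocol, from_port, to_port, cidr)
SECURITY_GROUPS = {
    "sg-web": [
        ("tcp", 80, 80, "0.0.0.0/0"),
        ("tcp", 8080, 8080, "0.0.0.0/0"),
        ("tcp", 22, 22, "10.0.0.0/8"),      # SSH from the corporate range only
    ],
    "sg-ssh": [("tcp", 22, 22, "0.0.0.0/0")],  # SSH open to the world
}
# Constructed instances: public IP (None = private only) and attached groups
INSTANCES = {
    "i-0aaa": {"public_ip": "203.0.113.10", "groups": ["sg-web", "sg-ssh"]},
    "i-0bbb": {"public_ip": "203.0.113.11", "groups": ["sg-web"]},
    "i-0ccc": {"public_ip": None, "groups": ["sg-ssh"]},
}
# Constructed vulnerability scan findings: (instance, port, title)
VULNS = [
    ("i-0aaa", 22, "OpenSSH outdated version"),
    ("i-0aaa", 8080, "Tomcat manager default credentials"),
    ("i-0bbb", 80, "HTTP TRACE method enabled"),
    ("i-0bbb", 3306, "MySQL weak authentication"),
    ("i-0ccc", 22, "OpenSSH outdated version"),
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 (or ::/0): a prefix of zero bits matches every source."""
    return ip_network(cidr).prefixlen == 0


def rule_covers(rule, port):
    """Does the rule's port range include `port`? AWS uses -1 for 'all ports'."""
    _proto, lo, hi, _cidr = rule
    return lo == -1 or lo <= port <= hi


def exposed_instances(port, groups=SECURITY_GROUPS, instances=INSTANCES):
    """The slide's query, generalized: instances with a public IP attached to a
    group that allows 0.0.0.0/0 ingress on `port`."""
    hits = []
    for iid, inst in instances.items():
        if inst["public_ip"] is None:
            continue
        for sg in inst["groups"]:
            if any(is_world_open(r[3]) and rule_covers(r, port) for r in groups[sg]):
                hits.append(iid)
                break
    return sorted(hits)


def ports_with_threats(sg_id, groups=SECURITY_GROUPS, instances=INSTANCES, vulns=VULNS):
    """For one security group, the 'Threat Details' rows: each world-open rule whose
    port range contains a port with a vulnerability on an associated instance."""
    members = {iid for iid, inst in instances.items() if sg_id in inst["groups"]}
    rows = []
    for rule in groups[sg_id]:
        if not is_world_open(rule[3]):
            continue  # reachable only from the allowed range, not a perimeter threat
        hits = [(iid, port, title) for iid, port, title in vulns
                if iid in members and rule_covers(rule, port)]
        if hits:
            rows.append({
                "port_range": f"{rule[1]}-{rule[2]}",
                "source": rule[3],
                "impacted_instances": sorted({iid for iid, _, _ in hits}),
                "vulnerabilities": len(hits),
            })
    return rows


if __name__ == "__main__":
    print("SSH exposed to the internet:", exposed_instances(22))
    for sg in SECURITY_GROUPS:
        print(sg, ports_with_threats(sg))
```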


Remediation
Automate in real time actions to protect against risks

Make the object private, where necessary:
User -> PutObject / PutObjectAcl -> rule delivers the event when it matches -> AWS Lambda -> Lambda function that reads the state of the S3 bucket and updates it to make the bucket and its object private.

Integration into Qualys CloudView (Coming in Q1'2019)
* Collect evaluation results
* Execute update permissions
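The remediation path above as a Lambda handler (added example, not Qualys or AWS code): it re-reads the ACL instead of trusting the event, and resets it to private only when a public grant is present. The event shape follows CloudTrail S3 data events as delivered by a CloudWatch Events rule; the bucket name, keys and the fake S3 client are constructed so the block runs offline.

```python
"""Event-driven S3 remediation: make an object (or bucket) private again when a
PutObject / PutObjectAcl / PutBucketAcl call has granted public access."""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl):
    """Grants in a Get{Object,Bucket}Acl response that give access to everyone."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def remediate_object(s3, bucket, key):
    """Re-read the object's current ACL and reset it if it is public."""
    if not public_grants(s3.get_object_acl(Bucket=bucket, Key=key)):
        return False
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    return True


def remediate_bucket(s3, bucket):
    """Same check for the bucket ACL itself."""
    if not public_grants(s3.get_bucket_acl(Bucket=bucket)):
        return False
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    return True


def lambda_handler(event, context=None, s3=None):
    """Entry point for a CloudWatch Events rule on CloudTrail S3 API calls."""
    if s3 is None:
        import boto3  # only needed inside Lambda; the offline demo injects a fake
        s3 = boto3.client("s3")
    detail = event["detail"]
    params = detail["requestParameters"]
    bucket, name = params["bucketName"], detail["eventName"]
    made_private = []
    if name in ("PutObject", "PutObjectAcl") and remediate_object(s3, bucket, params["key"]):
        made_private.append(f"s3://{bucket}/{params['key']}")
    if remediate_bucket(s3, bucket):
        made_private.append(f"s3://{bucket}")
    return {"eventName": name, "made_private": made_private}


# ---- offline demo: constructed fake client and events --------------------------
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
EVERYONE_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}


class FakeS3:
    """Minimal stand-in for boto3's S3 client (constructed; only the calls used above)."""
    def __init__(self, bucket_acl, object_acls):
        self.bucket_acl, self.object_acls, self.calls = bucket_acl, object_acls, []

    def get_bucket_acl(self, Bucket):
        return self.bucket_acl

    def put_bucket_acl(self, Bucket, ACL):
        self.calls.append(("bucket", Bucket, ACL))
        self.bucket_acl = {"Grants": [OWNER_GRANT]}

    def get_object_acl(self, Bucket, Key):
        return self.object_acls[Key]

    def put_object_acl(self, Bucket, Key, ACL):
        self.calls.append(("object", Key, ACL))
        self.object_acls[Key] = {"Grants": [OWNER_GRANT]}


def sample_client():
    """Private bucket ACL; one object was just made public-read, another is fine."""
    return FakeS3({"Grants": [OWNER_GRANT]},
                  {"reports/q3.pdf": {"Grants": [OWNER_GRANT, EVERYONE_READ]},
                   "logo.png": {"Grants": [OWNER_GRANT]}})


def sample_event(event_name, key=None):
    """CloudTrail S3 data event as delivered by a CloudWatch Events rule (constructed)."""
    params = {"bucketName": "example-bucket"}
    if key:
        params["key"] = key
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "s3.amazonaws.com", "eventName": event_name,
                       "requestParameters": params}}


if __name__ == "__main__":
    print(lambda_handler(sample_event("PutObjectAcl", "reports/q3.pdf"), s3=sample_client()))
```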


Cloud Infrastructure Reports
Coming Jan'19

* Generate reports for CIS Benchmarks, mandates like PCI, HIPAA, NIST ...
* Configure for specific accounts and regions
* Run now
* Schedule reports for daily, weekly or monthly

[Screenshot: CloudView > Reports with a "PCI Report for MyAWS Storefront" (template: Payment Card Industry Data Security Standard (PCI - DSS) v3.2; mandates/requirements: PCI-DSS; report summary 96.6%; 44 controls, 294 total evaluations, 1 policy) and a "CIS Report for myaws"; the report includes a Requirement Posture section for PCI-DSS v3.2.]


Coming Dec. 2018
Azure CIS 1.0.0 Benchmark Controls (~40 checks)

Azure Assets Evaluated
* Azure Virtual Machines
* Azure Virtual Networks
* Azure Blob Storage
* Azure Network Security Groups
* Azure SQL Databases
* Azure Security Center
* Storage Accounts
* Logging & Monitoring Services

[Screenshot: CloudView, Microsoft Azure, controls from the "CIS Microsoft Azure Foundations Benchmark" policy:]
* 50001 Ensure that 'Data encryption' is set to ON for a SQL database (SQL Servers)
* 50002 Ensure no SQL Servers allow ingress from Internet (ANY IP) (SQL Servers)
* 50003 Ensure that 'Adaptive Application Controls' is set to On (Security Center)
* 50004 Ensure that 'Automatic provisioning of monitoring agent' is set to On (Security Center)
* 50005 Ensure that System updates is set to On (Security Center)
* 50006 Ensure that 'Security Configurations' is set to On (Security Center)
* 50007 Ensure that 'Endpoint protection' is set to On (Security Center)


Qualys Cloud Security - Comprehensive Coverage

IaaS and PaaS*: Azure, Oracle, Google Cloud Platform, Alibaba Cloud, SoftLayer, ...
QUALYS SECURITY CONFERENCE 2018

Qualys Container Security
Comprehensive Security for the ever-changing Container ...

Agenda
* Container Advantages
* Container Deployments
* Visibility & Control Challenges
* Qualys Container Security Solution
* Demo
* Q&A


Everybody Loves Containers
* Portability
* Agility
* Density


Container Deployments

Deployment Scenario #1 (diagram: containers inside virtual machines on a Host Operating System and Infrastructure)
1. Shrinking infrastructure, as organizations continue ...
2. Containers deployed within Virtual Machines
3. But organizations still have the overhead and costs of the hypervisor and virtual machines

Deployment Scenario #2 (diagram: containers in Guest OSes on a Hypervisor over the Host Operating System, Kernel and Infrastructure)
1. The orchestration battle ends with Kubernetes winning 80% of the market
2. But organizations struggle to scale their own Kubernetes clusters

Deployment Scenario #3 (diagram: Container | Container | Container on a Container Engine, Orchestration as a Service, Kernel, Infrastructure)
1. Container-as-a-Service and Container Orchestration-as-a-Service adoption
2. Now where do you put security?


Container Visibility & Security Challenges

Container Lifecycle Challenges

Container Images
* What's in the images? Vulnerabilities? OSS license exposure?
* Solution disruptive to my CI Pipeline?
* Scanning report integrated with bug tracking?

Container Registry
* Registry scanning?
* Enforce compliance? Vulnerability, package and license-based rules?
* Vulnerability impact notifications?

Container Instances / Infrastructure
* How to protect host?
* Container engine configured correctly?
* Container orchestration configured correctly?
* Runtime app visibility?
* Runtime app protection?
Qualys Container Security

Container Images
* Software Composition
* Vulnerability Analysis
* OSS License Analysis
* Pipelines
* Bug Tracking Integration

Container Registry
* Registry Scanning
* Compliance Controls (Vulnerability, Package and License-based)
* Real-time Vulnerability Impact Notifications

Container Instances / Infrastructure
* Host Protection
* Container Engine Benchmarking
* Container Orchestration
* Deep Runtime Visibility
* Runtime Protection


Qualys Container Security
* Protection for container infrastructure stack: Host Protection, CIS Benchmarks
* Accurate insight and control: Scanning & Compliance of container images
* Automated analysis and ...: Visibility & Protection ...
[Screenshot: Qualys Container Security dashboard (Metrics / Activity Monitor / Topology, date range last 7 days): Assessment Metrics, All Vulnerabilities (Last 7 Days) by severity (High, Medium, Low, Negligible, Unknown), Top 5 Most Vulnerable Container Images; navigation: Dashboard, Images, Vulnerabilities, Containers, Policies, Settings.]

Add Registry (Name*, Location*, Type*); registry types: Private, Docker Hub, ECR, DTR.
Product Overview

Qualys Container Security (CS) enables customers to build continuous security into their container deployments and DevOps processes at any scale, and integrate the results into one unified view of their global hybrid IT security and compliance posture, breaking down silos and lowering ownership cost. Qualys Container Security integrates with Jenkins and Bamboo to do image vulnerability analysis. Scan your Docker registries like Artifactory or ECR either on-demand or with an automated scan of images. Detect potential breaches by scanning the running containers and detecting drifts from the parent images. Adding Qualys Vulnerability Management and Policy Compliance for the hosts gives you comprehensive coverage of the complete stack. Download the sidecar container sensor image for your specific Qualys platform, follow the instructions and

Highlights
* Discover and inventory container assets across your AWS ECS, EKS or custom EC2 container deployments
* Perform container-native vulnerability analysis across the build pipeline like Jenkins, Bamboo, scan ECR Registry and live container runtimes